Author

Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 141. (Read 465769 times)

member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.


I have.. But if its a Pool issue its not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I dont care what people like or dont like..


Is this some sort of gridseed deal or are you just able to stick them into a works server room? Smiley
Thanks
Miles


I dont work for them and dont want to get flamed by all the silly noobs on this site.

But it is GAWMiners     Look them up if you want. They have been offering free hosting..   I got a 20 pack yesterday during the day, and was up and hashing last night
newbie
Activity: 55
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.


I have.. But if its a Pool issue its not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I dont care what people like or dont like..


Is this some sort of gridseed deal or are you just able to stick them into a works server room? Smiley
Thanks
Miles
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.
I have.. But if its a Pool issue its not their issue..
And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..
I dont care what people like or dont like..
and why would you care for their help then?
how can it be a pool issue if their 22+ghs are jumping on and off at will?


ummmmm  How about you read the 25 post before this one???  before you open your mouth..
full member
Activity: 168
Merit: 100

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.


Sorry, I take back the word assumption if you're going to be semantic.  

Here's what I've seen, which I'm using to create my "theory":  I have 2 mining setups, both pointing to useast.wafflepool.com.  The two systems use different miners, one is using cgminer running under BAMT, the other is using cudaminer under win7.  Both systems are NAT'd behind a router running dd-wrt.  

With the difference in miners / systems, I don't think someone trojaning both my systems with different miners / OS's / authentications at the same time is likely.  With other people reporting the same issue, it makes a lot of sense that some sort of DNS hijack took place.  

I agree with you and don't recommend people hardcode an IP in their miner configs for long term use, but for the immediate future it would negate any sort of DNS issues should they continue.

I never suggested anyone infiltrated your systems with a trojan, and to rush to judgment that nothing else can be responsible other than a dns hijack, is a leap using poor reasoning.

Google "stratum client.reconnect", and notice that even if ip addresses are hard coded, you could still be vulnerable to this potential attack vector.

But as this would suggest a pool server vulnerability, I kept it private for a while to give pw a chance to collect whatever information he could to confirm or eliminate this possibility.

In simple English, within the legitimate code of most stratum mining software is a command called client.reconnect that can be issued by the server to tell any miner to switch to another server and port.  If a pool server vulnerability had been found and exploited, it would be possible to send your miner a client.reconnect command to go mine elsewhere, anywhere.

Here is a snippet from ckolivas/cgminer 3.7.2 code:


   if (!strncasecmp(buf, "client.reconnect", 16) && parse_reconnect(pool, params)) {
      ret = true;
      return ret;
   }


static bool parse_reconnect(struct pool *pool, json_t *val)
{
   char *url, *port, address[256];

   memset(address, 0, 255);
   url = (char *)json_string_value(json_array_get(val, 0));
   if (!url)
      url = pool->sockaddr_url;

   port = (char *)json_string_value(json_array_get(val, 1));
   if (!port)
      port = pool->stratum_port;

   sprintf(address, "%s:%s", url, port);

   if (!extract_sockaddr(address, &pool->sockaddr_url, &pool->stratum_port))
      return false;

   pool->stratum_url = pool->sockaddr_url;

   applog(LOG_NOTICE, "Reconnect requested from pool %d to %s", pool->pool_no, address);

   if (!restart_stratum(pool))
      return false;

   return true;
}


For those of you affected by the problem with detailed cgminer logs, (from cgminer/sgminer, not cgwatcher as it does not log such messages), may I suggest that you search for "reconnect requested" messages for any possible evidence of this method being used.
newbie
Activity: 4
Merit: 0

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.


Sorry, I take back the word assumption if you're going to be semantic. 

Here's what I've seen, which I'm using to create my "theory":  I have 2 mining setups, both pointing to useast.wafflepool.com.  The two systems use different miners, one is using cgminer running under BAMT, the other is using cudaminer under win7.  Both systems are NAT'd behind a router running dd-wrt. 

With the difference in miners / systems, I don't think someone trojaning both my systems with different miners / OS's / authentications at the same time is likely.  With other people reporting the same issue, it makes a lot of sense that some sort of DNS hijack took place. 

I agree with you and don't recommend people hardcode an IP in their miner configs for long term use, but for the immediate future it would negate any sort of DNS issues should they continue.
newbie
Activity: 56
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.
I have.. But if its a Pool issue its not their issue..
And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..
I dont care what people like or dont like..
and why would you care for their help then?
how can it be a pool issue if their 22+ghs are jumping on and off at will?
member
Activity: 112
Merit: 10
GAWMiners restart my Hosted units and looks good now..  

Edit:  Yes Bill Just got on mine and they look to be restarting..

full member
Activity: 156
Merit: 100
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.


I have.. But if its a Pool issue its not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I dont care what people like or dont like..


I also have some hosted gridseeds and have send my hash rate from from 3-3.5 to 1.25mh/s in the past hour. I have emailed GAW and waiting to make sure everything is good on there end.

Did you get any answer from GAW?
newbie
Activity: 56
Merit: 0

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?


I do not believe that to be the case.  But if it were a dns hack, cgminer or most other miner software would still continue to display x.wafflepool.com as the pool server name, and it would simply resolve to another ip address underneath.  If cgminer or other miner software shows the unexpected ip address as the server name, then something else must be the cause.  I suggested one possibility to pw, but he considered it to be unlikely.  We'll see.

there is a 50% possibility (either yes or no) that fbi cдeлaлo eмy пpeдлoжeниe oт кoтopoгo нeльзя oткaзaтьcя? ))
full member
Activity: 168
Merit: 100
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.
Cru
newbie
Activity: 3
Merit: 0
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.

I am completed illiterate when it comes to this kind of stuff.  What is the consensus here, is it something wrong on our machines/network or something wrong with Wafflepool? Or something that is in between?
newbie
Activity: 4
Merit: 0
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.


I have.. But if its a Pool issue its not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I dont care what people like or dont like..

newbie
Activity: 56
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.
Cru
newbie
Activity: 3
Merit: 0
When I looked this morning, it was still showing useast.wafflepool.com as the site where I was submitting shares.
full member
Activity: 168
Merit: 100
Whoever is seeing the DNS issues, can you post what your DNS is, any any lookups and results for our endpoints?  We haven't changed anything in terms of DNS in weeks, and its very disconcerting that multiple people are seeing this.

Name:   uswest.wafflepool.com
Address: 192.241.211.125
Name:   useast.wafflepool.com
Address: 162.243.89.19
Name:   eu.wafflepool.com
Address: 95.85.61.208

all VIA ISP DNS (I'd rather not say who)

The next time the problem occurs I'll give you a network capture of it!

Please do, I've got an email from another person seeing the same thing (disconnect after a while and on reconnect, getting a different pool entirely).  Which is very disconcerting....

pw, I sent you a pm containing some information that I decided not to leave posted publicly, as whoever is responsible for this is likely reading this thread.

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?


I do not believe that to be the case.  But if it were a dns hack, cgminer or most other miner software would still continue to display x.wafflepool.com as the pool server name, and it would simply resolve to another ip address underneath.  If cgminer or other miner software shows the unexpected ip address as the server name, then something else must be the cause.  I suggested one possibility to pw, but he considered it to be unlikely.  We'll see.
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??


or better stats, you can see here: Better Stats. Please be aware, this site is run 100% by another party and uses our API for data. It is in no way managed or affiliated with us.

Hash Rate: 0.00 kH/s (15min approximated)
Worker   15m Hashrate   15m Stalerate
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   0.00 kH/s   0.00%

Bitcoins sent to you: 0.00000000
Bitcoins earned (not yet sent): 0.01666397
Bitcoins unconverted (approximate): 0.00374650
click to see coin balances

Recent Payouts
Date   Amount   TxnId

Recent Shifts
ID   Ended   Shares (yours / total)   Blocks Found
15335   OPEN   0 / 44722688   1
15334   2014-03-22 22:30:31   0 / 150658560   2
15333   2014-03-22 22:23:18   0 / 151505920   7
15332   2014-03-22 22:15:22   0 / 151298560   12
15331   2014-03-22 22:09:12   0 / 151126528   5
15330   2014-03-22 22:03:27   0 / 150529536   7
15329   2014-03-22 21:57:37   0 / 150871040   10
15328   2014-03-22 21:51:47   0 / 152092672   21
15327   2014-03-22 21:45:37   0 / 152955392   26
15326   2014-03-22 21:39:22   0 / 151446528   2
newbie
Activity: 56
Merit: 0
To everyone who is having their miners redirected to the unexpected ip address...  What type of router equipment are you using on your network?  The brand and model of the unit is not as important as whether it runs its own dns forwarding server.

If you are uncertain, check your computer ip configuration to determine if the dns server it contacts the internal ip address for your router (private lan 192.168.x.x in most cases) other dns servers out on the internet.  If you can post which is the case, that will help in determining the cause of this problem.

miners can change their dns to google's 8.8.8.8 to see if it still works "strange" no?
full member
Activity: 168
Merit: 100
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?
newbie
Activity: 56
Merit: 0
Whoever is seeing the DNS issues, can you post what your DNS is, any any lookups and results for our endpoints?  We haven't changed anything in terms of DNS in weeks, and its very disconcerting that multiple people are seeing this.

Name:   uswest.wafflepool.com
Address: 192.241.211.125
Name:   useast.wafflepool.com
Address: 162.243.89.19
Name:   eu.wafflepool.com
Address: 95.85.61.208

all VIA ISP DNS (I'd rather not say who)

The next time the problem occurs I'll give you a network capture of it!

Please do, I've got an email from another person seeing the same thing (disconnect after a while and on reconnect, getting a different pool entirely).  Which is very disconcerting....

pw, I sent you a pm containing some information that I decided not to leave posted publicly, as whoever is responsible for this is likely reading this thread.

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?

Jump to: